
Botnets increasingly wielded for ideological uses

Botnets are developing new attack strategies, increasingly used by …

Botnets, or networks of zombie computers that mount attacks with malicious software against other computers, continue to be a moving target for network protection services. A recent report from Prolexic Technologies describes some of the new strategies that botnets are using to take down their targets in attacks that are increasingly of a political bent.

The Prolexic report focuses on the increase of DDoS attacks, where multiple computers overload the available bandwidth of a system through methods such as IP spoofing or DNS request floods. Botnets like BlackEnergy typically mount attacks consisting of between 1 and 7 Gbps of straightforward requests on the system by computers under its control, but Prolexic has found that the size and techniques of the attacks are changing.

While most networks are able to protect themselves against around 10 Gbps of attacks, Prolexic notes that attacks are swelling to 50 Gbps in size, and attacks nearing 100 Gbps are increasingly common. Usually network admins can watch for a certain threshold of traffic and use packet inspection and firewalls to detect botnets, but the attackers have found some ways to thwart these measures.

To get around threshold-based protection, attacking computers will use a variety of IP addresses and attack at a much slower rate, making the attack requests difficult to discern from legitimate ones, or attacking intensely with a small set of IP addresses until they are shut down, then repeating the attack with another set. Another popular method is to use encrypted pages for data flooding wherever possible, as few providers monitor the contents of those pages.

According to an article by the BBC, these new attacks have become popular among politically and ideologically motivated groups who wish to shut down the sites of their opponents. The frequency of attacks that are motivated by a cause is on the rise; one example cited is an animal rights group attack against the sites of various perfume manufacturers. Another attack was mounted by the anti-Scientology group Anonymous against some Australian government websites in protest of the government's plans to start blocking access to some sites, such as those containing gay pornography.

To combat these new strategies, Prolexic has recommended a few new courses of action. One approach would be to validate computers by profiling their capabilities to differentiate between real users and automated scripts. Another would be to build adaptive models of acceptable behavior on the network and compare users' habits to that standard. A simpler strategy is to maintain a database of friendly vs. malicious IP addresses and monitor or block the access of the latter.
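To make the evasion described above and the countermeasures concrete, here is an added example that is not part of the article and not Prolexic's tooling. It runs three detectors over a constructed access log: a per-source threshold (the conventional check), an adaptive aggregate baseline learned from the first few windows (the "model of acceptable behavior"), and a reputation blocklist. The log, the window sizes, the thresholds and the addresses (documentation ranges) are all assumptions chosen for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean

WINDOW_SECONDS = 10       # bucket size for rate counting (assumed)
PER_IP_THRESHOLD = 10     # requests per window from one source before alerting (assumed)
BASELINE_WINDOWS = 3      # leading windows used to learn the "normal" aggregate volume
BASELINE_FACTOR = 3.0     # alert when a window exceeds this multiple of the baseline

# Hypothetical reputation list; documentation-range address, not a real actor.
BLOCKLIST = {"192.0.2.7"}

LEGIT_CLIENTS = ["198.51.100.%d" % i for i in range(1, 6)]


def make_sample_log():
    """Construct synthetic access-log lines (constructed data, not captured traffic).

    Windows 0-2: five clients, three requests each (baseline of 15 per window).
    Window 3:    same clients plus one source sending 25 requests (single-source burst).
    Window 4:    same clients plus 30 sources sending 3 requests each (many sources,
                 each under the per-IP threshold, so only the aggregate rises).
    """
    t0 = datetime(2024, 1, 1, 0, 0, 0)
    lines = []

    def emit(window, ip, n):
        for k in range(n):
            ts = t0 + timedelta(seconds=window * WINDOW_SECONDS + k % WINDOW_SECONDS)
            lines.append(f"{ts.isoformat()} {ip} GET /index.html 200")

    for w in range(5):
        for ip in LEGIT_CLIENTS:
            emit(w, ip, 3)
    emit(3, "203.0.113.9", 25)
    for i in range(30):
        emit(4, f"192.0.2.{i + 1}", 3)
    return lines


def parse(lines):
    """Turn 'timestamp ip method path status' lines into (datetime, ip) records."""
    records = []
    for line in lines:
        ts, ip, _method, _path, _status = line.split()
        records.append((datetime.fromisoformat(ts), ip))
    return records


def window_index(ts, t0):
    return int((ts - t0).total_seconds() // WINDOW_SECONDS)


def per_ip_threshold_alerts(records, threshold=PER_IP_THRESHOLD):
    """Conventional check: flag (window, ip) pairs whose request count exceeds the threshold."""
    t0 = min(ts for ts, _ in records)
    counts = Counter((window_index(ts, t0), ip) for ts, ip in records)
    return sorted((w, ip) for (w, ip), n in counts.items() if n > threshold)


def adaptive_aggregate_alerts(records, baseline_windows=BASELINE_WINDOWS,
                              factor=BASELINE_FACTOR):
    """Behavioral check: learn total requests/window from the first windows, then flag
    any later window whose total exceeds factor * baseline, regardless of source count."""
    t0 = min(ts for ts, _ in records)
    totals = Counter(window_index(ts, t0) for ts, _ in records)
    ordered = [totals[w] for w in range(max(totals) + 1)]
    baseline = mean(ordered[:baseline_windows])
    return [w for w in range(baseline_windows, len(ordered))
            if ordered[w] > factor * baseline]


def reputation_hits(records, blocklist=BLOCKLIST):
    """Reputation check: count requests from sources already known to be malicious."""
    return Counter(ip for _, ip in records if ip in blocklist)


if __name__ == "__main__":
    recs = parse(make_sample_log())
    print("per-IP threshold:", per_ip_threshold_alerts(recs))      # [(3, '203.0.113.9')]
    print("adaptive aggregate:", adaptive_aggregate_alerts(recs))  # [4]
    print("reputation hits:", dict(reputation_hits(recs)))         # {'192.0.2.7': 3}
```

Run stand-alone, the per-source check catches only the burst in window 3, while the distributed low-rate traffic in window 4 stays under the per-IP threshold and is caught only by the aggregate baseline; the two checks are complementary rather than alternatives. Because both checks count requests or bytes rather than inspecting payloads, they remain usable on TLS traffic that the article notes most providers cannot inspect, whereas the reputation list only helps against sources already seen.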

While these strategies are effective in some ways, Prolexic notes that they are not very effective in dealing with the encrypted data attacks. The only method the company has derived so far to combat encrypted data is a tool to decrypt and inspect the encrypted transactions to look for suspect data.

As botnets continue to develop, longevity has become difficult for the botnets to achieve—the larger a bot is, the more likely people are to know about it and be able to identify it. What may happen is that botnet creators will forego their pursuit of sheer size and numbers and instead start pursuing toughness and longevity—along with a dash of subtlety to avoid detection.

Casey Johnston
Casey Johnston is the former Culture Editor at Ars Technica, and now does the occasional freelance story. She graduated from Columbia University with a degree in Applied Physics. Twitter: @caseyjohnston